REST POST Call Using x-www-form-urlencoded Type

0
Hi Everyone,   I'm trying to make an API call to update an access token using a refresh token that I have already had granted as part of an OAuth process. I have been able to make this work using Postman and Power Automate, but when I come to do the same thing in Mendix I get either {"invalid_client"} or {"invalid_grant"} error messages. I'm using exactly the same clientid, secret and refresh token in Mendix as I've used on both the other platforms.   The trick I think is that the call requires an x-www-form-urlencoded POST call structure, but I've tried adding the keys in the call body (with and without quotation marks), adding them into the POST header (again, with and without quotes) and have moved several parameters around in case there is a specific order that the parameters need to be in (this isn't documented by the service provider and doesn't seem to be necessary in Postman etc).    I have also tried to use the Consumed Rest Service (beta) function and while this seems easier than the regular REST Call Microflow activity, ultimately I end up with the same errors - invalid_client or invalid_grant.   I've read and re-read this article by Ryan Mocke Configuring REST services in Mendix | by Ryan Mocke | Mendix Community | Medium and it has some useful pointers, and I've looked at a number of the other questions posed about the x-www-form-urlencoded request type but I still end up with the same errors.    Has anyone seen anything similar who can give me some pointers towards a solution?   Thanks!
asked
9 answers
0

Hi David,

 

That's unfortunate! Maybe share some screenshots of your work, then we might be able to spot small mistakes!? It could be that your Identity Provider (IdP) is a bit picky on the lines sent. What is your IdP? You can set the debug level of the REST Consume log node to Trace to inspect what is actually been sent and if everything looks fine maybe involve someone from the IdP to point out the issue.

 

I've implemented refresh mechanism more than once, maybe you spot any differences with your solution:

image.png

image.png

 

answered
0

Thanks Johan,

 

I've replicated your structure as best I can but am still getting errors - I'm back to 'invalid_grant' which I'm sure can't be due to credentials as Postman works. Here are the structures I've used:

 

image.png

 

image.png

 

image.png

 

image.png

 

I haven't got as far as importing the response yet, because I don't get one.

 

Thanks!

answered
0

Try putting the log level of 'REST Consume' to TRACE. This will output the full request being made to the logs. You can then compare this to the known working call from Postman. I suspect there is a value that isn't being escaped properly, but this should allow you to confirm that.

 

Good luck.

answered
0

Hi Everyone,

 

Here's the stack trace:

 

Response content for POST request to https://id.jobadder.com/connect/tokenHTTP/1.1 400 Bad RequestDate: Fri, 14 Feb 2025 00:10:45 GMTContent-Type: application/json; charset=utf-8Content-Length: 25Connection: keep-aliveX-UA-Compatible: IE=edgecf-cache-status: DYNAMICX-XSS-Protection: 1; mode=blockx-content-type-options: nosniffreferrer-policy: strict-origin-when-cross-originstrict-transport-security: max-age=31536000; includeSubDomains; preloadcontent-security-policy: default-src * data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval'; script-src * data: blob: 'unsafe-inline' 'unsafe-eval'; connect-src * data: blob: 'unsafe-inline'; img-src * data: blob: android-webview-video-poster: 'unsafe-inline'; frame-src * data: blob: ; style-src * data: blob: 'unsafe-inline'; font-src * data: blob: 'unsafe-inline'; frame-ancestors * data: blob:;x-frame-options: SAMEORIGINServer: cloudflareCF-RAY: 9118d644c820d5de-SYD

{"error":"invalid_grant"}

answered
0

As it all seems modeled very well and also the error message is quite clear (request understood, but denied), I now have the strong feeling that you miss the scope offline_access in your initial requested access token.

Strictly speaking: only with the offline_access, one is allowed to use the refresh mechanism.

Could you try to add that in the initial token request?

The other option could be that you are not using the latest refresh_token. I see you use a constant for it, but refresh_tokens may become invalid by expiration or revocation.

answered
0

Hi Everyone, 

 

Here's a screenshot of the log message - you can see there's 'something' at the end of the string and that's what the API endpoint isn't liking:

 

mendixstring.png

answered
0

Hi Everyone,

 

An update on this one. Whatever I tried, the API provider always recieved a newline character at the end of the request line. Cutting the requerst line out of Mendix and into e.g. notepad also showed a newline had been added. It may well be a frailty on the part of the API provider, but to get around this I created my own Java Action using this walktrough Extend Your Application with Custom Java | Mendix Documentation and with some help from ChatGPT and it works beautifully. 

 

Thanks everyone for your input and help on this one!

answered
0

Hi David,

 

I worked on this similar issue before. For this type of call you have other way to fix.

 

As pre req:

This service is working fine in postman with valid grant.

Header you are using is correct : Content-Type: application/x-www-form-urlencoded

-----

Now for this content type, you convert the url encoded parameters to Base 64 encoded format and pass in the URI section.

 

Example :

 

grant_type=refresh_token&client_id=1234Id&client_secret=secretKey

 

Convert this "refresh_token&client_id=1234Id&client_secret=secretKey" base 64 encoded format (hash string) and pass it through the API

 

Make sure the spaces are replaced with + or %20  (please check your Client Id and secret - as your target service provider to validate or request to convert and share the values). 

 

Hope this helps, keep me posted

 

answered
0

Maybe you accidentally configured a space or line break in the refresh token constant. Could you try adding the trim function like this:

'&refresh_token=' + trim(@JobAdderModule.CONST_REFRESH_TOKEN)

 

answered